Spammers Attack and Deface Over 60,000 Websites Using a WordPress Exploit

According to a security research firm, over 60,000 websites that haven’t been updated to the most recent WordPress version 4.7.2 are under attack in a mass defacement campaign.

WordPress 4.7.2 was released two weeks ago, fixing a vulnerability in the WordPress REST API. “An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint,” WordPress noted in its security bulletin. The bug, reported by Marc-Alexandre Montpas of Sucuri Security, allows a remote, unauthenticated attacker to modify the content of any post or page on a WordPress site.

The WordPress REST API was added and enabled by default in version 4.7.0, and both 4.7.0 and 4.7.1 expose the flaw. Sucuri, a web security firm, warned that any website still running either of these versions is currently vulnerable to this privilege escalation.

Mass defacement campaign uses WordPress exploit

Sucuri researchers, who have been tracking this exploit, report that the bug is being used by four different hacking groups. Websites that haven’t been upgraded to the latest WordPress version are under attack in this mass defacement campaign, and the attacks are steadily growing, reaching nearly 3,000 defacements a day.

“In less than 48 hours after the vulnerability was disclosed, we saw multiple public exploits being shared and posted online,” Daniel B Cid, the founder and CTO of Sucuri, wrote. “With that information easily available, the internet-wide probing and exploit attempts began.”

Researchers noted that even though WordPress has an auto-update feature enabled by default, along with an easy 1-click manual update process, not every site has been updated to the latest version. “Based on data collected from Sucuri’s honeypot test servers, four attackers have been busy in the past week trying to exploit the flaw,” researchers wrote.

These defacement campaigns are increasing by the day, and researchers believe they will lead to SEO spam (search engine poisoning) attempts going forward. Attackers will use compromised sites to promote their own products or sites, and will likely abuse popular websites to distribute malware through injected links and images. Researchers added that sites hit by SEO-targeted defacements also see their SERP (Search Engine Result Page) standing affected and risk losing their search-engine ranking, which in turn drives down their traffic.

To avoid becoming one of those 65,000 websites, Sucuri advises site owners to update to WordPress v4.7.2, which closes the hole this ongoing campaign exploits.
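The two checks a site owner can run for this campaign are whether the install is still on 4.7.0 or 4.7.1, and whether anonymous clients have been issuing write requests to the post and page REST routes. The script below is an added example, not Sucuri's or WordPress's code; it assumes the core version lives in `wp-includes/version.php` as `$wp_version`, that the web server writes Common Log Format access logs, and that `/wp-json/wp/v2/posts` and `/wp-json/wp/v2/pages` (or their `?rest_route=` equivalents) are the core REST routes exposing post and page content.

```python
import re
from collections import Counter

FIRST_AFFECTED, FIXED_VERSION = (4, 7, 0), (4, 7, 2)  # 4.7.0 and 4.7.1 are affected
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Pretty-permalink form (/wp-json/...) and the query-string form (?rest_route=...).
REST_CONTENT_ROUTE = re.compile(r"(?:/wp-json|rest_route=)/wp/v2/(?:posts|pages)\b")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(text):
    """'4.7.1' -> (4, 7, 1); '4.7' -> (4, 7, 0). Pre-release suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised WordPress version: %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def is_vulnerable(version_php):
    """True when the contents of wp-includes/version.php declare 4.7.0 or 4.7.1."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return FIRST_AFFECTED <= parse_version(m.group(1)) < FIXED_VERSION

def rest_write_attempts(log_lines):
    """Per client IP: write-method requests to post/page REST routes, and how many
    the server answered 2xx. Logged-in editors also use these routes, so correlate
    hits with admin sessions; a 2xx to an anonymous client on 4.7.0/4.7.1 means
    content was changed."""
    attempts, succeeded = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method in WRITE_METHODS and REST_CONTENT_ROUTE.search(path):
            attempts[ip] += 1
            if status.startswith("2"):
                succeeded[ip] += 1
    return dict(attempts), dict(succeeded)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '203.0.113.7 - - [06/Feb/2017:10:01:05 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 811',
    '203.0.113.7 - - [06/Feb/2017:10:01:06 +0000] "POST /?rest_route=/wp/v2/posts/13 HTTP/1.1" 200 799',
    '198.51.100.4 - - [06/Feb/2017:10:02:11 +0000] "PUT /wp-json/wp/v2/pages/3 HTTP/1.1" 401 120',
    '192.0.2.9 - - [06/Feb/2017:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2310',
]

if __name__ == "__main__":
    print(is_vulnerable("$wp_version = '4.7.1';"), rest_write_attempts(SAMPLE_LOG))
```

Point `is_vulnerable` at the real `wp-includes/version.php` and `rest_write_attempts` at the real access log; a site on 4.7.2 should show only 401/403 answers to anonymous write attempts.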